Stolen email passwords of 272 million Gmail, Hotmail and Yahoo accounts being traded by Russian hackers

The huge database is one of the biggest ever discovered

Doug Bolton
Friday 06 May 2016 12:15 BST
Participants work at their laptops at the annual Chaos Computer Club (CCC) computer hackers' congress in Hamburg in 2012
Participants work at their laptops at the annual Chaos Computer Club (CCC) computer hackers' congress in Hamburg in 2012

Login details for over 272 million Gmail, Hotmail and Yahoo accounts are being traded by Russian cybercriminals, it has been revealed.

According to research from cybersecurity firm Hold Security, the vast majority of leaked login credentials relate to, Russia's most popular email service.

However, Reuters reports that millions of Google, Yahoo and Microsoft email accounts have also been stolen, affecting internet users across the world.

It's one of the biggest uncovered stashes of stolen login credentials in internet history, and users are rightly worried.

Hold Security claims it came across the database on a Russian hacker forum, where one user was bragging that he had obtained the details for around 1.17 billion email accounts.

After combing through the database, the firm found the real number was much smaller, but some companies have still been badly hit. The cache reportedly contains 57 million accounts, affecting a majority of the service's 64 million active users.

Stolen passwords can fetch a good price on the black market, but the Russian hacker was only asking for 50 roubles (around 52p) for the entire trove. He eventually handed the cache over to Hold Security researchers after they said they would post favourable comments about him on the internet, to stay in line with their policy of never paying for stolen data.

Speaking to the news agency, Hold Security founder Alex Holden said: "This information is potent. It is floating around in the underground and this person had shown he's willing to give the data away to people who are nice to him."

"These credentials can be abused multiple times," he added.

The stolen logins can obviously be used to access email accounts, but users who tend to have the same password for multiple websites are even more vulnerable.

Users concerned about the leak would be wise to change their passwords, start using different passwords for different accounts, and enrol in two-step verification on supporting sites.

Now, is analysing the password database, to check if the entries actually match up to user accounts.

Anonymous declares war on Donald Trump

A Microsoft spokesperson said: "Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”

The Independent has contacted Google and Yahoo for comment.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in